
A.5.33 — Protection of Records

Reviewed by: Cenedril Editorial
A.5.33 · ISO 27001 · ISO 27002 · BSI ISMS.1

An auditor requests the management review minutes from two years ago. The responsible manager searches through email, shared drives and a legacy document management system. After three hours, the minutes are found — in an obsolete file format that no current application can open. A.5.33 prevents this scenario by requiring that records are protected, accessible and usable throughout their defined retention period.

Records are the organisation’s institutional memory and its proof of compliance. Whether it is a contract, an audit report or an incident log, the record must be retrievable, readable and unaltered when it is needed — potentially years after it was created.

What does the standard require?

  • Develop a retention schedule. The organisation must define how long each type of record is retained, based on legal, regulatory, contractual and business requirements.
  • Protect records from loss and tampering. Records must be protected against unauthorised access, modification, destruction and deterioration throughout their retention period.
  • Classify records appropriately. The level of protection depends on the record’s classification and the requirements that apply to it.
  • Ensure long-term accessibility. Records must remain readable and usable for the entire retention period, even as technology changes. Format migration or conversion may be necessary.
  • Define secure disposal. When the retention period expires, records containing sensitive information must be securely destroyed. The disposal must be documented.

In practice

Categorise records by type and requirement. Group records into categories (financial, contractual, HR, ISMS, technical) and assign retention periods based on the most stringent applicable requirement. For example, if tax law requires 10 years and the customer contract requires 7 years, the retention period is 10 years.

Implement access controls on record storage. Records that are retained for compliance purposes must be protected from modification. Use write-once storage, version-controlled document management systems or access restrictions that prevent editing of finalised records.

Plan for format longevity. Electronic records stored in proprietary formats may become unreadable as software evolves. Where possible, use open, standardised formats (PDF/A for documents, CSV or XML for data). For records in proprietary formats, schedule periodic format assessments and conversion as needed.

Automate disposal where possible. Manual deletion processes are unreliable. Configure storage systems to flag records that have passed their retention period for review and disposal. Document every disposal action, including what was deleted, when and by whom.
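The following Python script is an added illustration of the three points above, not code from Cenedril or from the standard: it derives each category's retention period from the most stringent requirement, checks finalised records against the SHA-256 digest taken when they were finalised (so an edited "write-protected" record is caught), flags records past retention for disposal review, and produces the disposal audit entry (what, when, by whom, method). The retention schedule, categories, record identifiers and content are constructed assumptions.

```python
"""Retention-schedule check: longest applicable period, integrity check
against the digest recorded at finalisation, expiry flagging and a
disposal audit entry. Added illustration; the schedule, categories and
records are constructed examples, not real data or legal advice."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import hashlib

# Hypothetical retention schedule: category -> {requirement: years}.
RETENTION_SCHEDULE: Dict[str, Dict[str, int]] = {
    "financial": {"tax law": 10, "customer contract": 7},
    "hr": {"employment law": 5},
    "isms_audit": {"certification cycle": 3, "internal policy": 5},
}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    finalised: date              # the retention period runs from this date
    content: bytes               # content as stored now
    digest_at_finalisation: str  # SHA-256 recorded when the record was finalised

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def retention_period(category: str) -> Tuple[int, str]:
    """Most stringent requirement wins: the longest period and its basis."""
    requirements = RETENTION_SCHEDULE[category]
    basis = max(requirements, key=requirements.__getitem__)
    return requirements[basis], basis

def expiry_date(record: Record) -> date:
    years, _ = retention_period(record.category)
    target_year = record.finalised.year + years
    try:
        return record.finalised.replace(year=target_year)
    except ValueError:  # finalised on 29 February: clamp to 28 February
        return record.finalised.replace(year=target_year, day=28)

def review(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Sampling review: each record is ok, tampered, or past retention.
    Integrity is checked first, so a record whose stored content no longer
    matches its finalisation digest is reported as tampered even when it is
    also past retention and is not quietly disposed of."""
    result: Dict[str, List[str]] = {"ok": [], "tampered": [], "expired": []}
    for rec in records:
        if sha256_hex(rec.content) != rec.digest_at_finalisation:
            result["tampered"].append(rec.record_id)
        elif today >= expiry_date(rec):
            result["expired"].append(rec.record_id)
        else:
            result["ok"].append(rec.record_id)
    return result

def compliance_kpi(result: Dict[str, List[str]]) -> float:
    """Share (in %) of sampled records that are intact and within retention."""
    total = sum(len(ids) for ids in result.values())
    return 100.0 * len(result["ok"]) / total if total else 100.0

def disposal_entry(record: Record, actor: str, method: str,
                   disposed_on: Optional[date] = None) -> Dict[str, str]:
    """Audit-trail entry: what was disposed of, when, by whom, how and why."""
    years, basis = retention_period(record.category)
    return {
        "record_id": record.record_id,
        "category": record.category,
        "retention_basis": f"{basis} ({years} years)",
        "expired_on": expiry_date(record).isoformat(),
        "disposed_on": (disposed_on or date.today()).isoformat(),
        "disposed_by": actor,
        "method": method,
        "sha256_before_disposal": sha256_hex(record.content),
    }

def sample_records() -> List[Record]:
    """Constructed sample data, not real records."""
    invoice = b"Invoice 2014-0042: 1,200.00 EUR"
    minutes = b"Management review minutes, 2023-03-10"
    audit = b"Internal ISMS audit report 2021"
    leave = b"Leave approval, 2024-02-29"
    return [
        Record("FIN-2014-0042", "financial", date(2014, 1, 15), invoice, sha256_hex(invoice)),
        Record("ISMS-MR-2023", "isms_audit", date(2023, 3, 10), minutes, sha256_hex(minutes)),
        # content edited after finalisation: stored digest no longer matches
        Record("ISMS-AUD-2021", "isms_audit", date(2021, 6, 1),
               audit + b" (edited)", sha256_hex(audit)),
        Record("HR-2024-0229", "hr", date(2024, 2, 29), leave, sha256_hex(leave)),
    ]

def review_sample(today_iso: str) -> Dict[str, List[str]]:
    return review(sample_records(), date.fromisoformat(today_iso))

if __name__ == "__main__":
    outcome = review_sample("2025-06-01")
    print(outcome, f"KPI: {compliance_kpi(outcome):.1f}%")
    for rec in sample_records():
        if rec.record_id in outcome["expired"]:
            print(disposal_entry(rec, "records.officer", "cryptographic erasure"))
```

Run as-is and the 2014 invoice is flagged as past its 10-year tax-law period, the 2021 audit report is reported as tampered because its stored bytes no longer match the finalisation digest, and the two remaining records pass; the digest recorded at finalisation is what makes "unaltered" verifiable during sampling, and the disposal entry carries the legal basis and a hash of what was destroyed so the deletion can be evidenced later.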

Typical audit evidence

Auditors typically expect the following evidence for A.5.33:

  • Retention schedule — documented list of record types with retention periods, legal basis and responsible persons
  • Record management procedure — approved procedure covering storage, access control, format management and disposal
  • Storage and access controls — evidence that record repositories are protected (access logs, write-protection, encryption)
  • Disposal records — documentation of record deletions with timestamps, authorisation and method
  • Format assessment records — evidence that long-term accessibility of electronic records has been reviewed

KPI

% of records managed in compliance with retention and protection requirements

This KPI measures whether records are stored, protected and disposed of according to the retention schedule. Conduct periodic sampling: select records from different categories and verify that they are stored in the correct location, accessible, unaltered and within their retention period. Target: 100% compliance in sampled reviews.

Supplementary KPIs:

  • Percentage of record types with a defined retention period in the retention schedule
  • Number of records past their retention period awaiting disposal
  • Number of format migration actions completed in the last 12 months

BSI IT-Grundschutz

A.5.33 maps to the BSI requirements for documentation and record management:

  • BSI-Standard 200-2, Chapter 5 (Documentation) — requires that all ISMS-related documentation is managed, versioned and retained appropriately.
  • ISMS.1.A13 (Documentation of the ISMS) — mandates that ISMS documentation is maintained and accessible, including records of decisions, assessments and audits.

A.5.33 underpins the evidence and compliance framework:

Frequently asked questions

What counts as a record under A.5.33?

Any information the organisation must retain as evidence of activities, decisions or compliance. This includes contracts, audit reports, incident logs, training records, policy approvals, meeting minutes, financial documents and system logs. Both physical and electronic formats are covered.

How long must ISMS records be retained?

ISO 27001 does not prescribe specific retention periods. Retention depends on the record type and applicable legal requirements. Tax records may require 10 years, employment records 3-5 years after termination, and ISMS audit reports at least until the next certification cycle. Define retention periods in a retention schedule based on legal analysis.

What about records stored in cloud services?

Cloud storage does not change the retention and protection requirements. The organisation must ensure that the cloud provider's terms allow it to meet retention periods, that records can be retrieved in a usable format and that deletion is verifiable. Include data portability and deletion clauses in cloud service agreements.